Listen 3081 ServerName {{ inventory_hostname }} ServerAdmin infra-root@opendev.org DocumentRoot /var/www/opendev.org Require all granted Order allow,deny Allow from all AllowEncodedSlashes On ErrorLog ${APACHE_LOG_DIR}/gitea-ssl-error.log LogLevel warn LogFormat "%h:%{remote}p %A:%{proxy-source-port}n %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combinedport CustomLog ${APACHE_LOG_DIR}/gitea-ssl-access.log combinedport SSLEngine on SSLProtocol All -SSLv2 -SSLv3 # Note: this list should ensure ciphers that provide forward secrecy SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP SSLHonorCipherOrder on SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer SSLProxyEngine on Header set Access-Control-Allow-Origin "*" Use UserAgentFilter # Disable x-forwarded- headers because gitea logging can't # parse them properly ProxyAddHeaders Off ProxyPass /.well-known/ ! ProxyPass / https://{{ inventory_hostname }}:3000/ retry=0 ProxyPassReverse / https://{{ inventory_hostname }}:3000/